Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-07-16 Thread Martin Kosek
On 06/27/2013 10:20 AM, Martin Kosek wrote:
> On 06/21/2013 02:18 PM, Tomas Babej wrote:
>> On 06/21/2013 02:15 PM, Martin Kosek wrote:
>>> On 06/21/2013 02:11 PM, Tomas Babej wrote:
>>>> On 06/20/2013 06:00 PM, Simo Sorce wrote:
>>>>> On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
>>>>>> On 06/20/2013 05:44 PM, Simo Sorce wrote:
>>>>>>> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>>>>>>>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>>>>>>>> by pkiuser group.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/3727
>>>>>>>>>
>>>>>>>>> Tomas
>>>>>>>>>
>>>>>>>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>>>>>>>> thus you cannot just simply change ownership in our spec file because in the
>>>>>>>> time when package is installed or updated, pkiuser may not exist.
>>>>>>>>
>>>>>>>> I think you need to delete the %attr from spec file and set the correct
>>>>>>>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>>>>>>>> probably let ipa-upgradeconfig check this directory and amend when necessary
>>>>>>>> (to fix affected IPA CA instances).
>>>>>>> Probably even better to not create the directory via rpm at all, but
>>>>>>> make ipa-ca-install create it and remove it when --uninstall is run.
>>>>>>>
>>>>>>> Simo.
>>>>>> This could also work, sure. Could we then at least mark this directory in our
>>>>>> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
>>>>>> information?
>>>>> I guess so.
>>>>>
>>>>> Simo.
>>>>>
>>>> Updated version attached.
>>>>
>>>> Tomas
>>> Looks good by reading (I did not test it), maybe just one nitpick:
>>>
>>> +root_logger.warning("Error while removing CRL publish "
>>> +"directory: %s" % str(e))
>>>
>>> This should read:
>>> +root_logger.warning("Error while removing CRL publish "
>>> +"directory: %s", e)
>>>
>>> We do not need to format the string before it is really logged and we also 
>>> do
>>> not need to convert it to "str" as we already requested the conversion to
>>> string by "%s".
>>>
>>> Martin
>> Fixed.
>>
>> Tomas
> 
> The patch itself works fine, but there are still SELinux related questions and
> concerns which may also affect the patch (currently it does not work with
> enforced SELinux).
> 
> I posted them to the relevant Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=976308
> 
> Martin
> 

I decided not to wait for SELinux bugs to be fixed, the patch will not change
when they are fixed anyway. I will deal with them in another patch.

So ACK, pushed to master, ipa-3-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
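The approach the thread settles on is: do not let the RPM create or chown /var/lib/ipa/pki-ca/publish (pkiuser may not exist when the package is installed or updated), have the CA installer create the directory with the right ownership and SELinux context, remove it on uninstall, and have ipa-upgradeconfig repair existing instances on every update. The following is an added example of that pattern written for this page; it is not FreeIPA's own cainstance.py code (that part of the attached patch is cut off in the archive). The names `resolve_ids`, `ensure_publish_dir` and `remove_publish_dir`, the 0775 mode and the `restorecon` handling are assumptions. It also applies the logging nitpick from the review: pass `e` as a lazy `%s` argument instead of pre-formatting with `% str(e)`.

```python
# Added example, not FreeIPA code: create/repair the CA publish directory from
# the installer or upgrader rather than from the RPM. Function names, the mode
# and the restorecon step are assumptions made for this illustration.
import grp
import logging
import os
import pwd
import shutil
import stat
import subprocess

log = logging.getLogger("ipa.publishdir")

# Path discussed in the thread; the test below uses a temporary directory.
PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"


def resolve_ids(owner, group):
    """Look up uid/gid for the CA account, failing loudly if it is missing.

    This is the reason the thread rejects %attr in the spec file: at package
    install time the pkiuser account may not exist yet, and silently falling
    back to root would leave the CA unable to write CRLs."""
    try:
        uid = pwd.getpwnam(owner).pw_uid
        gid = grp.getgrnam(group).gr_gid
    except KeyError as e:
        raise LookupError("account lookup failed (%s); run this after the CA "
                          "user is created, not at package install time" % e)
    return uid, gid


def ensure_publish_dir(path, uid, gid, mode=0o775, restorecon=False):
    """Create `path` if missing, then bring owner, group and mode in line.

    Idempotent, so ipa-upgradeconfig can call it on every update: returns
    the list of corrections applied, and an already-correct directory
    yields []."""
    changes = []

    if not os.path.isdir(path):
        os.makedirs(path, mode)          # umask may still alter the mode
        changes.append("created")

    st = os.stat(path)                   # re-stat: check the real state
    if (st.st_uid, st.st_gid) != (uid, gid):
        os.chown(path, uid, gid)
        changes.append("chown %d:%d" % (uid, gid))

    if stat.S_IMODE(st.st_mode) != mode:
        os.chmod(path, mode)
        changes.append("chmod %o" % mode)

    if restorecon:
        # Reset the SELinux context; only meaningful where the tool exists.
        tool = shutil.which("restorecon")
        if tool:
            subprocess.check_call([tool, path])
            changes.append("restorecon")
        else:
            log.warning("restorecon not found; SELinux context of %s not reset",
                        path)

    for change in changes:
        # Lazy %-formatting as the review asks: the argument is rendered only
        # if the record is emitted, and no str() wrapper is needed.
        log.info("%s: %s", path, change)
    return changes


def remove_publish_dir(path):
    """Uninstall counterpart: remove the directory, logging (not raising)
    on failure, in the style of the warning line discussed in the review."""
    try:
        shutil.rmtree(path)
        return True
    except OSError as e:
        log.warning("Error while removing CRL publish directory: %s", e)
        return False


if __name__ == "__main__":
    # Real usage on a CA host (assumed account and group names):
    uid, gid = resolve_ids("pkiuser", "pkiuser")
    print(ensure_publish_dir(PUBLISH_DIR, uid, gid, restorecon=True))
```

Because `ensure_publish_dir` reports what it changed and returns `[]` when nothing was wrong, an upgrade script can run it unconditionally and still log only the repairs it actually made; the `LookupError` from `resolve_ids` is the case Martin's NACK describes, surfaced instead of hidden.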


Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-27 Thread Martin Kosek
On 06/21/2013 02:18 PM, Tomas Babej wrote:
> On 06/21/2013 02:15 PM, Martin Kosek wrote:
>> On 06/21/2013 02:11 PM, Tomas Babej wrote:
>>> On 06/20/2013 06:00 PM, Simo Sorce wrote:
>>>> On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
>>>>> On 06/20/2013 05:44 PM, Simo Sorce wrote:
>>>>>> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>>>>>>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>>>>>>> by pkiuser group.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3727
>>>>>>>>
>>>>>>>> Tomas
>>>>>>>>
>>>>>>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>>>>>>> thus you cannot just simply change ownership in our spec file because in the
>>>>>>> time when package is installed or updated, pkiuser may not exist.
>>>>>>>
>>>>>>> I think you need to delete the %attr from spec file and set the correct
>>>>>>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>>>>>>> probably let ipa-upgradeconfig check this directory and amend when necessary
>>>>>>> (to fix affected IPA CA instances).
>>>>>> Probably even better to not create the directory via rpm at all, but
>>>>>> make ipa-ca-install create it and remove it when --uninstall is run.
>>>>>>
>>>>>> Simo.
>>>>> This could also work, sure. Could we then at least mark this directory in our
>>>>> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
>>>>> information?
>>>> I guess so.
>>>>
>>>> Simo.
>>>>
>>> Updated version attached.
>>>
>>> Tomas
>> Looks good by reading (I did not test it), maybe just one nitpick:
>>
>> +root_logger.warning("Error while removing CRL publish "
>> +"directory: %s" % str(e))
>>
>> This should read:
>> +root_logger.warning("Error while removing CRL publish "
>> +"directory: %s", e)
>>
>> We do not need to format the string before it is really logged and we also do
>> not need to convert it to "str" as we already requested the conversion to
>> string by "%s".
>>
>> Martin
> Fixed.
> 
> Tomas

The patch itself works fine, but there are still SELinux related questions and
concerns which may also affect the patch (currently it does not work with
enforced SELinux).

I posted them to the relevant Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=976308

Martin



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-21 Thread Tomas Babej

On 06/21/2013 02:15 PM, Martin Kosek wrote:
> On 06/21/2013 02:11 PM, Tomas Babej wrote:
>> On 06/20/2013 06:00 PM, Simo Sorce wrote:
>>> On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
>>>> On 06/20/2013 05:44 PM, Simo Sorce wrote:
>>>>> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>>>>>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>>>>>> by pkiuser group.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3727
>>>>>>>
>>>>>>> Tomas
>>>>>>>
>>>>>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>>>>>> thus you cannot just simply change ownership in our spec file because in the
>>>>>> time when package is installed or updated, pkiuser may not exist.
>>>>>>
>>>>>> I think you need to delete the %attr from spec file and set the correct
>>>>>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>>>>>> probably let ipa-upgradeconfig check this directory and amend when necessary
>>>>>> (to fix affected IPA CA instances).
>>>>> Probably even better to not create the directory via rpm at all, but
>>>>> make ipa-ca-install create it and remove it when --uninstall is run.
>>>>>
>>>>> Simo.
>>>> This could also work, sure. Could we then at least mark this directory in our
>>>> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
>>>> information?
>>> I guess so.
>>>
>>> Simo.
>>>
>> Updated version attached.
>>
>> Tomas
> Looks good by reading (I did not test it), maybe just one nitpick:
>
> +root_logger.warning("Error while removing CRL publish "
> +"directory: %s" % str(e))
>
> This should read:
> +root_logger.warning("Error while removing CRL publish "
> +"directory: %s", e)
>
> We do not need to format the string before it is really logged and we also do
> not need to convert it to "str" as we already requested the conversion to
> string by "%s".
>
> Martin

Fixed.

Tomas
From 21046b4c093568b8b89bcc976ce06801a5a00f36 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 20 Jun 2013 15:49:58 +0200
Subject: [PATCH] Change group ownership of CRL publish directory

Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
---
 freeipa.spec.in |  6 --
 install/Makefile.am |  3 +--
 install/tools/ipa-upgradeconfig |  7 ---
 ipaserver/install/cainstance.py | 13 +
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 239811ac26aa84e1928cefb9c3adac58326ad9a7..d3463f4ef65ec48300bea8fe9773dfe4b3b298f5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -381,7 +381,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
 mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
-mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
 mkdir %{buildroot}%{_usr}/share/ipa/html/
 ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
 %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
@@ -710,7 +709,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
-%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
@@ -819,6 +818,9 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Fri Jun 21 2013 Tomas Babej  - 3.2.99-3
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+
 * Mon Jun 17 2013 Petr Viktorin  - 3.2.99-2
 - Add the freeipa-tests subpackage
 
diff --git a/install/Makefile.am b/install/Makefile.am
index b2e6e9a65e1483be6f921280f13ebf7e0dd2469a..c07f571550af9651366234db86da7a0c3ff13480 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -24,9 +24,8 @@ install-exec-local:
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
-	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
+	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
 	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
-	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
 
 uninstall-local:
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e9216964a045b5a87c22f6eb87bb1844f4adce9..4fbcdb6bf5092c12301f6ec76c5a329f14594fd6 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -690,15 +690,16 @@ def mig

Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-21 Thread Martin Kosek
On 06/21/2013 02:11 PM, Tomas Babej wrote:
> On 06/20/2013 06:00 PM, Simo Sorce wrote:
>> On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
>>> On 06/20/2013 05:44 PM, Simo Sorce wrote:
>>>> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>>>>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>>>>> by pkiuser group.
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3727
>>>>>>
>>>>>> Tomas
>>>>>>
>>>>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>>>>> thus you cannot just simply change ownership in our spec file because in the
>>>>> time when package is installed or updated, pkiuser may not exist.
>>>>>
>>>>> I think you need to delete the %attr from spec file and set the correct
>>>>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>>>>> probably let ipa-upgradeconfig check this directory and amend when necessary
>>>>> (to fix affected IPA CA instances).
>>>> Probably even better to not create the directory via rpm at all, but
>>>> make ipa-ca-install create it and remove it when --uninstall is run.
>>>>
>>>> Simo.
>>> This could also work, sure. Could we then at least mark this directory in our
>>> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
>>> information?
>> I guess so.
>>
>> Simo.
>>
> 
> Updated version attached.
> 
> Tomas

Looks good by reading (I did not test it), maybe just one nitpick:

+root_logger.warning("Error while removing CRL publish "
+"directory: %s" % str(e))

This should read:
+root_logger.warning("Error while removing CRL publish "
+"directory: %s", e)

We do not need to format the string before it is really logged and we also do
not need to convert it to "str" as we already requested the conversion to
string by "%s".

Martin



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-21 Thread Tomas Babej

On 06/20/2013 06:00 PM, Simo Sorce wrote:
> On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
>> On 06/20/2013 05:44 PM, Simo Sorce wrote:
>>> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>>>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>>>> by pkiuser group.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3727
>>>>>
>>>>> Tomas
>>>>>
>>>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>>>> thus you cannot just simply change ownership in our spec file because in the
>>>> time when package is installed or updated, pkiuser may not exist.
>>>>
>>>> I think you need to delete the %attr from spec file and set the correct
>>>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>>>> probably let ipa-upgradeconfig check this directory and amend when necessary
>>>> (to fix affected IPA CA instances).
>>> Probably even better to not create the directory via rpm at all, but
>>> make ipa-ca-install create it and remove it when --uninstall is run.
>>>
>>> Simo.
>> This could also work, sure. Could we then at least mark this directory in our
>> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
>> information?
> I guess so.
>
> Simo.



Updated version attached.

Tomas
From b459cb1bca411940707c94b38848e7bf6acebaf6 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 20 Jun 2013 15:49:58 +0200
Subject: [PATCH] Change group ownership of CRL publish directory

Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
---
 freeipa.spec.in |  6 --
 install/Makefile.am |  3 +--
 install/tools/ipa-upgradeconfig |  7 ---
 ipaserver/install/cainstance.py | 13 +
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 239811ac26aa84e1928cefb9c3adac58326ad9a7..d3463f4ef65ec48300bea8fe9773dfe4b3b298f5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -381,7 +381,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
 mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
-mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
 mkdir %{buildroot}%{_usr}/share/ipa/html/
 ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
 %{buildroot}%{_usr}/share/ipa/html/ffconfig.js
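Review bot: the line removed here creates `%{_localstatedir}/cache/ipa/pki-ca/publish`, not the `%{_localstatedir}/lib/ipa/pki-ca/publish` directory that the %files hunk further down turns into a %ghost, so this hunk drops a mkdir for a path the package never listed. The neighbouring sysrestore and sysupgrade mkdirs show the same cache/ versus lib/ mismatch with their lib/ %files entries, so removing this one is harmless, but it would be worth confirming that the lib/ publish directory was only ever created by install/Makefile.am (changed in this patch) and that nothing else in %install still creates it, and a follow-up could clean up the other two stale cache/ lines.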
@@ -710,7 +709,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
-%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
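Review bot: the new `%ghost %{_localstatedir}/lib/ipa/pki-ca/publish` drops the `%dir` that the replaced line carried; since the entry refers to a directory, keep it as `%ghost %dir %{_localstatedir}/lib/ipa/pki-ca/publish` so rpm records a directory rather than a regular file. Dropping the `%attr(755,root,root)` is consistent with the intent (the CA installer, not the package, sets ownership and mode), but it means the attributes rpm records for the ghost come from whatever default the %files section declares, which is worth a sentence in the commit message.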
@@ -819,6 +818,9 @@ fi
 %endif  # ! %{ONLY_CLIENT}
 
 %changelog
+* Fri Jun 21 2013 Tomas Babej  - 3.2.99-3
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+
 * Mon Jun 17 2013 Petr Viktorin  - 3.2.99-2
 - Add the freeipa-tests subpackage
 
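Review bot: the changelog line "Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost" describes the change accurately, but the patch subject "Change group ownership of CRL publish directory" does not any more; it still describes the first version, which set the pkiuser group via %attr. Retitle the commit to match the changelog entry, and confirm the spec's Release tag agrees with the 3.2.99-3 bump announced here.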
diff --git a/install/Makefile.am b/install/Makefile.am
index b2e6e9a65e1483be6f921280f13ebf7e0dd2469a..c07f571550af9651366234db86da7a0c3ff13480 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -24,9 +24,8 @@ install-exec-local:
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
-	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
+	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
 	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
-	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
 
 uninstall-local:
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
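Review bot: the hunk removes the mkdir and chmod for `$(localstatedir)/lib/ipa/pki-ca/publish` from install-exec-local, but the context stops right after `uninstall-local:`, so it is not visible whether that target still has a matching `-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish` line. If it does, drop it in the same patch so `make uninstall` does not try to remove a directory the build no longer creates; per the commit message, runtime removal now belongs to the CA uninstall.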
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e9216964a045b5a87c22f6eb87bb1844f4adce9..4fbcdb6bf5092c12301f6ec76c5a329f14594fd6 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -690,15 +690,16 @@ def migrate_crl_publish_dir(ca):
 caconfig.CS_CFG_PATH, e)
 return False
 
+# Prepare target publish dir (creation, permissions, SELinux context)
+# Run this every update to ensure proper values
+publishdir = ca.prepare_crl_publish_dir()
+
 if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
 # publish dir is already updated
 root_logger.info('Publish directory already set to new location')
 sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
 return False
 
-# Prepare target publish dir (permissions, SELinux context)
-publishdir = ca.prepa
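Review bot: moving `publishdir = ca.prepare_crl_publish_dir()` above the `old_publish_dir == caconfig.CRL_PUBLISH_PATH` early return does make it run on every upgrade, as the new comment says, but any exception it raises now aborts migrate_crl_publish_dir before the migration has decided whether there is anything to do, instead of being reported the way the error path just above does (`caconfig.CS_CFG_PATH, e)` followed by `return False`). Consider wrapping the call in the same log-and-return-False pattern, and check that the caller does not skip this function once the 'moved_crl_publish_dir' sysupgrade state has been set to True, since then "run this every update" would not hold.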

Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-20 Thread Rob Crittenden

Simo Sorce wrote:
> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>> by pkiuser group.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3727
>>>
>>> Tomas
>>>
>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>> thus you cannot just simply change ownership in our spec file because in the
>> time when package is installed or updated, pkiuser may not exist.
>>
>> I think you need to delete the %attr from spec file and set the correct
>> ownership during ipa-{server,ca}-install. When CA is configured, we should also
>> probably let ipa-upgradeconfig check this directory and amend when necessary
>> (to fix affected IPA CA instances).
>
> Probably even better to not create the directory via rpm at all, but
> make ipa-ca-install create it and remove it when --uninstall is run.
>
> Simo.


It should be ghosted at a minimum to show what package owns it.

rob



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-20 Thread Simo Sorce
On Thu, 2013-06-20 at 17:47 +0200, Martin Kosek wrote:
> On 06/20/2013 05:44 PM, Simo Sorce wrote:
> > On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
> >> On 06/20/2013 05:15 PM, Tomas Babej wrote:
> >>> Hi,
> >>>
> >>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
> >>> by pkiuser group.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/3727
> >>>
> >>> Tomas
> >>>
> >>
> >> NACK. This won't fly. pkiuser is created by FreeIPA when server is 
> >> installed,
> >> thus you cannot just simply change ownership in our spec file because in 
> >> the
> >> time when package is installed or updated, pkiuser may not exist.
> >>
> >> I think you need to delete the %attr from spec file and set the correct
> >> ownership during ipa-{server,ca}-install. When CA is configured, we should 
> >> also
> >> probably let ipa-upgradeconfig check this directory and amend when 
> >> necessary
> >> (to fix affected IPA CA instances).
> > 
> > Probably even better to not create the directory via rpm at all, but
> > make ipa-ca-install create it and remove it when --uninstall is run.
> > 
> > Simo.
> 
> This could also work, sure. Could we then at least mark this directory in our
> spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
> information?

I guess so.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-20 Thread Martin Kosek
On 06/20/2013 05:44 PM, Simo Sorce wrote:
> On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
>> On 06/20/2013 05:15 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
>>> by pkiuser group.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3727
>>>
>>> Tomas
>>>
>>
>> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
>> thus you cannot just simply change ownership in our spec file because in the
>> time when package is installed or updated, pkiuser may not exist.
>>
>> I think you need to delete the %attr from spec file and set the correct
>> ownership during ipa-{server,ca}-install. When CA is configured, we should 
>> also
>> probably let ipa-upgradeconfig check this directory and amend when necessary
>> (to fix affected IPA CA instances).
> 
> Probably even better to not create the directory via rpm at all, but
> make ipa-ca-install create it and remove it when --uninstall is run.
> 
> Simo.

This could also work, sure. Could we then at least mark this directory in our
spec file as %ghost? So that "rpm -qf /var/lib/ipa/pki-ca/publish/" gives some
information?

Martin



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-20 Thread Simo Sorce
On Thu, 2013-06-20 at 17:33 +0200, Martin Kosek wrote:
> On 06/20/2013 05:15 PM, Tomas Babej wrote:
> > Hi,
> > 
> > Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
> > by pkiuser group.
> > 
> > https://fedorahosted.org/freeipa/ticket/3727
> > 
> > Tomas
> > 
> 
> NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
> thus you cannot just simply change ownership in our spec file because in the
> time when package is installed or updated, pkiuser may not exist.
> 
> I think you need to delete the %attr from spec file and set the correct
> ownership during ipa-{server,ca}-install. When CA is configured, we should 
> also
> probably let ipa-upgradeconfig check this directory and amend when necessary
> (to fix affected IPA CA instances).

Probably even better to not create the directory via rpm at all, but
make ipa-ca-install create it and remove it when --uninstall is run.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0075] Change group ownership of CRL publish directory

2013-06-20 Thread Martin Kosek
On 06/20/2013 05:15 PM, Tomas Babej wrote:
> Hi,
> 
> Spec file modified so that /var/lib/ipa/pki-ca/publish/ is owned
> by pkiuser group.
> 
> https://fedorahosted.org/freeipa/ticket/3727
> 
> Tomas
> 

NACK. This won't fly. pkiuser is created by FreeIPA when server is installed,
thus you cannot just simply change ownership in our spec file because in the
time when package is installed or updated, pkiuser may not exist.

I think you need to delete the %attr from spec file and set the correct
ownership during ipa-{server,ca}-install. When CA is configured, we should also
probably let ipa-upgradeconfig check this directory and amend when necessary
(to fix affected IPA CA instances).

Martin
